The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Monday, February 28, 2005
Scott Bradner (a consultant with Harvard University's University Information Systems) recounts in NWFusion what are, in his view, the failings of ChoicePoint brought to light in the latest incident and hopes that it will lead to national mandates to protect personal information:
Dumber decisions - safer world?:
- "The company's validation procedures for permitting access to its databases was clearly inadequate. Maybe the company decided that it was too expensive to do things correctly - for example, by visiting all companies before granting access?
- ChoicePoint didn't tell any of the people whose data was stolen that that they were at risk for identity theft for almost five months. The company said it was the cops who didn't give a hoot about warning people that their good names were in eminent danger and told ChoicePoint not to tell anyone. Maybe, but ChoicePoint's later actions indicate that it was not exactly eager to do what was right.
- When ChoicePoint finally admitted that something had happened, the company downplayed it and said that the only people who were at risk were 35,000 or so Californians. Perhaps not coincidentally, California by law is the only state where people whose private information is exposed by such breaches must be notified .
- Only after considerable pressure, including a letter from 38 state attorneys general demanding that people at risk in their states also be notified, did ChoicePoint belatedly say it would send letters to 110,000 additional people. (One wonders if the attorneys general of the other states think that identity theft is OK.) Since that expansion, there have been news reports that the number of people whose data was accessed might exceed 500,000.
- ChoicePoint includes information that it doesn't need to in the reports it provides - such as a Social Security number in its personal property and personal auto reports (samples of which are on the company's Web page ). I understand the company might want to include the ability to look someone up using a Social Security number, but I don't understand why "
Labels: choicepoint, identity theft, information breaches
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.